192.168.2.113: This is the machine that is sending the exploit. It is a SuSE 8.0 Pro box.

192.168.2.101: This is the victim machine. It is Win2K Pro Svc Pack I. This machine is unprotected, i.e. there is no firewall or filtering router in front of it.

All of the lab machines are connected via an SMC Barricade switch. This effectively simulates the below noted packets arriving at their destination without actually sending them over the internet. Please also note that my references to the src machine mean the source computer pushing across the exploit, and that dst equates to the destination computer.

The below noted packet trace has been truncated for the sake of brevity. There were over a thousand packets exchanged during the exploit itself and the subsequent cursory manipulation of the victim machine. The entire packet trace can be found on the enclosed floppy. Also note that the below noted packet trace is presented in time-sequential order rather than as a hodgepodge of packets, i.e. from the beginning of the exploit to the end. That being said, please see the below noted packet trace for an explanation of the exploit, as well as to see it in action. The text below a packet references the packet directly above it. The packet trace follows the below noted invocation of the exploit itself and the resulting command prompt returned.

Here we have the src machine pushing across the actual shell code itself. Note that the packet is of maximal length, i.e. 1500 bytes, and that the references to "meow" seen above are for debugging purposes, to see if the exploit runs properly. Note again the large number of NOPs ("no ops") in the packet. This is always a characteristic of buffer overflows, and of many vulnerabilities found in Windows.
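Because a NOP sled like the one pointed out above is exactly what a network detector can key on, here is an added example (not code from the original post) that flags packets to TCP port 135 whose payload carries a long run of 0x90 bytes. The Packet class, the 64-byte threshold and the sample packets are all constructed for this example; the sample payloads are not taken from the post's capture.

```python
# Added example: flag packets to TCP/135 (DCOM RPC) that carry a long run of
# x86 NOP (0x90) bytes. All packets below are constructed, not from the capture.
from dataclasses import dataclass

NOP = 0x90
DCOM_PORT = 135
MIN_SLED = 64  # assumed threshold: legitimate RPC traffic rarely carries 64+ consecutive 0x90 bytes


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def suspicious_packets(packets, min_sled=MIN_SLED, port=DCOM_PORT):
    """Return (packet, sled_length) for packets to `port` carrying a sled of at least min_sled bytes."""
    hits = []
    for p in packets:
        if p.dport != port:
            continue
        n = longest_nop_run(p.payload)
        if n >= min_sled:
            hits.append((p, n))
    return hits


# Constructed sample traffic, modelled on the lab addresses in the post.
SAMPLE = [
    # ordinary-looking RPC bind: header bytes followed by zero padding, no sled
    Packet("192.168.2.113", "192.168.2.101", 135, b"\x05\x00\x0b\x03" + b"\x00" * 60),
    # 300-byte NOP sled followed by constructed filler bytes
    Packet("192.168.2.113", "192.168.2.101", 135, b"\x05\x00" + b"\x90" * 300 + b"\xcc" * 40),
    # same sled bytes but to port 80: not DCOM, so ignored by the default check
    Packet("192.168.2.113", "192.168.2.101", 80, b"\x90" * 300),
]

if __name__ == "__main__":
    for p, n in suspicious_packets(SAMPLE):
        print(f"NOP sled of {n} bytes from {p.src} to {p.dst}:{p.dport}")
```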

The exploit has now been pushed over to the victim machine, and the source computer will now begin a graceful teardown of the connection on port 135, as seen above. Note that the teardown sequence is: FIN/ACK, ACK, ACK, FIN/ACK.

At this point you could either continue manipulating the victim machine or pretty much do whatever you desired. This, however, is where the packet trace ends for analysis purposes, as both the start of the exploit and the manipulation of the victim have been shown.

Exploit countermeasures

The first would be to install the patch from Microsoft. Symantec has them nicely listed here. Another method would be to simply disable the DCOM service itself. There is a step-by-step method here on how to disable it. Lastly, it should be noted that as a home user you should, at the least, be behind a firewall as well. Some free firewalls are ZoneAlarm, as well as TPF by Kerio, and Agnitum Outpost. Of the three I would recommend either TPF or Outpost.

We hope that you found this helpful in gaining an understanding of how the exploit itself works. Should you have any suggestions on how to improve this, please let me know. Also, if there are parts that you do not understand, please let us know and we will attempt to clarify.

Last edited by alt.don on Thu Aug 14, 2003 4:49 pm; edited 2 times in total